Using the dump event log utility

By Bryan Muehlberger, ITworld |  How-to

Have you ever needed to look for a certain event with the Event Viewer
logs? If you did, you probably went through the normal method - opening
the Event Log viewer, and performing a filter on the event ID you were
looking for. What if you had to do this on 100 servers? What would you
do? The solution would be to use the dump event log (dumpel.exe)
utility, which is included in the Windows 2000 Resource Kit.

This handy utility allows a systems administrator to dump the entire
event log or only portions of it. Recently I needed to find every
instance of the Windows File Protection service in the System log
shown in the Event Viewer. The Windows File Protection (WFP) service is
activated when an application or user tries to replace a file that WFP
protects. I wanted to know when the WFP service was activated and which
files someone had attempted to replace. To do this, I issued the
following command line inside a batch file against all of the servers I
wanted to report on:

Dumpel.exe -l system -m "Windows File Protection" -s serverName -t >>

This dumped all of the events from the system log on serverName that
were generated by the source "Windows File Protection". By using the -t
option, I was able to export the data in tab-delimited format for easy
import into Excel. I was then able to sort the data and manipulate what
I was looking for.

One thing to note is that if you use the -f option to write the output
to a file, you can't run dumpel.exe against multiple servers with a
single output file, because each run overwrites the file. To get around
this, I redirected standard output to a file with the command line
redirection syntax '>>', which appends each command's output to the
existing file.
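The batch file the article describes, written out here as an added example rather than the author's own script. It assumes dumpel.exe is on the PATH, that servers.txt (one server name per line) and the output file name wfp_events.txt are local choices, and it uses only the switches shown above.

```batch
@echo off
rem Added example (not from the article): collect Windows File Protection
rem events from every server listed in servers.txt (assumed file, one
rem name per line) into one tab-delimited file for import into Excel.
setlocal
set SERVERLIST=servers.txt
set OUTFILE=wfp_events.txt

rem Start from an empty file so repeated runs do not pile up old results.
if exist "%OUTFILE%" del "%OUTFILE%"

rem -l system : read the System log
rem -m ...    : only events from the "Windows File Protection" source
rem -s server : the remote server being queried
rem -t        : tab-delimited output
rem Output is appended with >> instead of written with -f, which would
rem overwrite the file for each server.
for /f "usebackq" %%S in ("%SERVERLIST%") do (
    echo Querying %%S...
    dumpel.exe -l system -m "Windows File Protection" -s %%S -t >> "%OUTFILE%"
)
endlocal
```

The echo lines go to the console only; the single redirection on the dumpel.exe line is what builds the combined file.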
